The security of your data and rewards is a top priority at Rybbon. Every day we ensure that our security reflects industry standards and compliance.
Send eGift cards in Marketo emails

SOC 2 Compliance

Rybbon has completed its SOC 2 ® Type 2 examination. We can provide SOC 2 ® Type 2 reports and attestations of compliance upon request. Rybbon has designed, implemented, and operated its system of controls to meet its service commitments based on the Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy.

GDPR & CCPA Compliance

Rybbon recognizes the sensitivity of your personal data. We take holistic security measures to ensure both GDPR and CCPA compliance.

HIPAA Compliance

Rybbon can support rewards programs that need to be HIPAA compliant. Rybbon has a standard Business Associate Addendum (BAA) we present to customers for signature. It takes into account the services Rybbon provides.

Third-party Sub Processors

Rybbon uses third-party Sub Processors to provide various business functions after due diligence to evaluate their defensive posture and executes an agreement requiring each Sub Processor to maintain acceptable security practices.

Physical Security

Rybbon employs AWS, the market leader in cloud services to host its services. Rybbon leverages the functionalities provided by AWS to build a highly scalable, secure and reliable platform. Rybbon employs serverless technologies administered by AWS, eliminating the need for Rybbon to manage and secure servers. The serverless technologies allow Rybbon to scale seamlessly to handle millions of customers

Secure Platform

Servers and Networking

Rybbon employs serverless technologies provided by AWS. Patching and virus protection of the servers on which Rybbon’s application run are also managed by AWS. Additional managed services that we utilize, such as Amazon RDS, S3 and others, are comprehensively hardened AWS infrastructure-as-a-service (IaaS) platforms.


Rybbon stores data such as metadata, activity, original files, and customer’s data in different locations while also compiling and generating documents when requested. All data in each location is encrypted at rest with AES-256 and sophisticated encryption keys management.

Coding and testing practices

Rybbon leverages industry standard programming techniques, such as having documented development and quality assurance processes, and also following guidelines such as the OWASP report, to ensure that the applications meet security standards. Security testing is part of our release testing, and Rybbon performs routine vulnerability and penetration testing every 6 months.

Employee Access

We follow the principle of least privilege in how we write software, as well as the level of access employees are instructed to use in resolving issues in our platform and responding to customer support requests.

Isolated environments

The production network segments are logically isolated from other Corporate, QA, and Development segments.

Customer payment information

Rybbon uses external secure third party payment processing and does not process, store, or transmit any payment card data.

System monitoring and alerting

At Rybbon, the production application and underlying infrastructure components are monitored 24/7/365 days a year, by dedicated monitoring systems. Critical alerts generated by these systems are sent to 24/7/365 on-call DevOps team members and escalated appropriately to operations management.

Service levels and backups

Rybbon infrastructure utilizes many layered techniques for increasingly reliable uptime, including the use of auto-scaling, load balancing, task queues, and rolling deployments. Rybbon’s database servers are stored in geographically redundant sites providing maximum availability and minimal data loss in the event of a disaster. Databases are backed up on a regular basis and backup copies are maintained in geographically redundant locations. All backups are encrypted using AES-256 encryption technologies.

Vulnerability testing

Web application security is evaluated by the development team in parallel with the application release cycle. This vulnerability testing includes the use of commonly known web application security toolkits and scanners to identify application vulnerabilities before they are released into production.

Application architecture

The Rybbon web application is multi-tiered into logical segments (front-end, mid-tier, and database), each independently separated from each other in a DMZ configuration. This guarantees maximum protection and independence between layers.

Incident Management

Rybbon has a documented incident management plan to respond to security incidents. The plan highlights the processes to follow in the event of a security incident, covering customer notifications, escalations within the company and recovery of business operations after an incident.

Business Continuity and Disaster Recovery

Rybbon’s business continuity and disaster recovery plan implements steps necessary to ensure minimal disruption of services in the event of a disaster. To minimize disruption, Rybbon’s infrastructure is hosted on world’s leading cloud platform. Rybbon employs warm stand-by in geographically diverse locations so that service can be restored in a different location in a short period of time if the primary location is impacted. Live database replication to geographically redundant locations allows Rybbon to minimize data loss, and reduce recovery point objective (RPO) of less than a second.